I am fixing code against the code audit report. It says "PREVENT EXPOSURE OF SENSITIVE DATA" against the line having the syntax response.getWriter().write(xml.toString())
The content.toString() needs to be properly validated. Use ESAPI to validate it strictly. Writing directly to the response is really vulnerable, and if the data is output from a method having the request as input then it's twice vulnerable. Major security issue.
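One way to apply the ESAPI suggestion to the `response.getWriter().write(xml.toString())` line, as an added example that is not code from the question or the answer. The class name, the `accountId` parameter and the `<account>` element are hypothetical, and it assumes the `javax.servlet` API plus an ESAPI configuration whose validation.properties defines the `SafeString` rule.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

// Hypothetical handler: validates the request value on the way in,
// encodes it for the XML context on the way out.
public class AccountXmlWriter {

    public void writeAccountXml(HttpServletRequest request,
                                HttpServletResponse response) throws IOException {
        String accountId;
        try {
            // Allow-list validation of the request-derived value.
            // "SafeString" is assumed to be defined in validation.properties;
            // 32 is the maximum length, false means null is rejected.
            accountId = ESAPI.validator().getValidInput(
                    "accountId request parameter",
                    request.getParameter("accountId"),
                    "SafeString", 32, false);
        } catch (ValidationException | IntrusionException e) {
            // Reject the request instead of echoing the bad value back.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Build the document from fixed markup plus encoded values only,
        // so a value can never close an element or open a new one.
        StringBuilder xml = new StringBuilder();
        xml.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>")
           .append("<account><id>")
           .append(ESAPI.encoder().encodeForXML(accountId))
           .append("</id></account>");

        // Declare the type so the client parses the body as XML, not HTML.
        response.setContentType("application/xml;charset=UTF-8");
        response.getWriter().write(xml.toString());
    }
}
```

Validation alone does not address a sensitive-data finding if the XML carries fields the caller should not see, so the audit line is also worth checking for what `xml` contains, not only how it is written.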